Hostile Networks : how-to-not-log?

Firewall options for RED interface
Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)

@pmueller: Thanks a lot!
How do I stop / disable having these logged?

Thanks in advance!
Kind regards
Manfred

The only way I know of is to disable the “Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)” option.

Jon, I love your skill of being funny in a very dry fashion … :wink:
Peter’s approach is really valuable,
but the immense amount of flooding is causing important log entries to be overlooked.
Perhaps one more tick box in the “Log …” section above will be needed?
Kind regards
Yours sincerely
Manfred

What is Peter’s approach? I missed that one.

I am seeing ~11,000 DROP_HOSTILE items per week. All of them in red0 and none in green0 or blue0 or orange0.

So like you…

… I would guess someone smart will create a filter in the Firewall logging section to Log dropped packets from hostile networks (i.e., from red0)

Maybe that is what Peter is working on?

Introducing elementary network protection: Dropping all traffic from and to hostile networks by default

by Peter Müller, February 23

After activating, the flood started …

Ahh! Got it!

Hopefully it will be updated in a future Core Update!

Good day all.

If I might suggest reading some of the thread “Location Block vs. Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)”, where there is discussion similar to this. What I have done, to reduce the length of the FW logs, is disable the “Drop packets from and to hostile networks…” option and let the location block rule set drop the incoming traffic. I then set up an outgoing firewall rule to drop and log any outgoing traffic to a destination XD, that is, the hostile networks. This should reduce your log burden and block the bad traffic.
Hope this helps.
PZ


Thanks for your hint - and for your proposal as well!
Kind regards
Manfred

Can you post a screen shot of your rule?

→ IN:
Enabled Location based blocking:
. . . A1 Anonymous Proxy
. . . A2 Satellite Provider
. . . A3 Worldwide Anycast Instance
. . . XD Hostile networks safe to drop

→ OUT:
Correspondingly created four rules @ positions { #1 … #4 }:

. . . Source: Standard Networks: “Any”
. . . Destination: Location: { “A1” | “A2” | “A3” | “XD” }
. . . Protocol: “All”
. . . . . . . . . . . . . . . . . . . . . “DROP”
. . . [+] Activate rule
. . . [-] Log rule

Unfortunately, e.g. well-respected and renowned “Tagesschau.de” did not load any more.
De-activating #3 (“Location: A3 Worldwide Anycast Instance”) allowed it to work again.
Where to place corresponding exceptions has to be investigated …

Jon, sorry for the delay; spring has sprung and the fields need to be tilled. Here is a snapshot. It is not much different from what Manfred posted, but I am just blocking everything heading to the Hostile Networks, aka XD. Location blocking XD is also enabled in Location Block.
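An added example, not part of any post in this thread: one way to keep the inbound DROP_HOSTILE flood on red0 from burying other firewall log entries is to triage the log offline, collapsing the noise into per-source counts and keeping everything else verbatim. It assumes the usual netfilter LOG line layout; the sample lines, the hostname, the `DROP_INPUT` prefix and the function name `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (documentation address ranges), assumed netfilter LOG layout.
SAMPLE_LOG = """\
Mar 10 08:00:01 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=4431 DPT=23
Mar 10 08:00:03 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=4432 DPT=2323
Mar 10 08:00:09 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:00 SRC=192.0.2.55 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=50122 DPT=22
Mar 10 08:01:15 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.20 DST=198.51.100.99 LEN=52 PROTO=TCP SPT=51000 DPT=443
Mar 10 08:02:00 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:00 SRC=198.51.100.200 DST=203.0.113.2 LEN=44 PROTO=UDP SPT=5060 DPT=5060
"""

# Log prefix, ingress/egress interface, then source and destination address.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>\S+) IN=(?P<inif>\S*) OUT=(?P<outif>\S*) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)

def triage(log_text, noisy_prefix="DROP_HOSTILE", wan_if="red0"):
    """Split a firewall log into (noise counts per source, lines worth reading).

    Only hits that carry the noisy prefix AND arrived on the WAN interface are
    collapsed. A DROP_HOSTILE hit entering on an internal interface means a
    local host tried to reach a hostile network, so it is kept in full.
    """
    noise = Counter()
    keep = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["prefix"] == noisy_prefix and m["inif"] == wan_if:
            noise[m["src"]] += 1
        elif line.strip():
            keep.append(line)  # unparsed lines are kept, never silently dropped
    return noise, keep

if __name__ == "__main__":
    noise, keep = triage(SAMPLE_LOG)
    print(f"{sum(noise.values())} inbound DROP_HOSTILE hits from {len(noise)} sources")
    for src, hits in noise.most_common(3):
        print(f"  {src}: {hits}")
    print("Entries to review:")
    for line in keep:
        print("  " + line)
```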